Securing Your Online Shop

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a binding set of rules and procedures established by four major credit card companies (Visa, Mastercard, Discover and American Express) in 2004 and is aimed at companies that accept credit cards as a payment method. The primary objective of PCI DSS is the prevention of fraud and theft of credit card data on the Internet.

Self-Assessment Questionnaires

Self-Assessment Questionnaires (SAQ) are tools which you may use, upon request by your acquirer, to determine whether your online shop meets the established PCI DSS requirements. For details, visit the PCI DSS Self-Assessment Questionnaire.

SAQ Compliance for Your Online Shop

To ensure the highest level of data security, your acquirer will ask you to fill out a specific Self-Assessment Questionnaire (SAQ) before concluding an acceptance contract with you. The handling and management of sensitive financial data in online shops is always the crucial issue when fulfilling the relevant SAQ and obtaining PCI compliance. However, your online shop does not need to handle or store sensitive data at all, since all financial and personal data required for the payment process are handled by the QENTA Checkout Server.

When you choose QENTA as your PCI-compliant third-party payment processor, it becomes much easier to comply with the SAQ requested by your acquirer, and no additional PCI compliance of your online shop is required.

Applicable SAQs for QENTA Solutions

There are various SAQ versions to choose from, depending on your business profile. The following SAQs are applicable when using QENTA products:

SAQ A
Business scenario: Applicable for card-not-present merchants where all cardholder data functions are outsourced to a PCI-compliant payment processor. Eligible e-commerce implementations: the merchant website is entirely hosted and administered by a compliant third-party payment processor, or provides an iframe to a PCI-compliant third-party payment processor, or contains a URL link redirecting consumers from the merchant website to a PCI-compliant payment processor. Visit implementation examples eligible for SAQ A vs. SAQ A-EP for more information and details.
Applicable QENTA solutions: QPAY Checkout Page in native app as web view; QMORE Checkout Seamless with "PCI DSS SAQ A Compliance" in native app as web view.

SAQ A-EP
Business scenario: Applicable for card-not-present merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process or transmit any cardholder data on their systems or premises.
Applicable QENTA solution: QMORE Checkout Seamless without "PCI DSS SAQ A Compliance" in native app as web view.

SAQ C-VT
Business scenario: Applicable for merchants using only web-based virtual terminals, without electronic cardholder data storage.
Applicable QENTA solution: QCALL Checkout Terminal

SAQ D
Business scenario: All other merchants not covered by any other SAQ, and all service providers defined by a payment brand as eligible to complete an SAQ.
Applicable QENTA solution: QFILE Checkout Automated

Put the file(s) in which your secret or password is defined in a folder on your web server's file system that cannot be reached by users accessing your web server through their web browsers (i.e. outside the document root).

Encrypting your online shop

We strongly recommend that you encrypt all communication with your online shop, so that it can be accessed only over a secure https connection.

QPAY Checkout Page and QMORE Checkout Seamless also communicate exclusively over https. If your online shop, or parts of it, are accessed over plain http, the consumer's web browser will display a security warning.

Saving order data and payment process results

We strongly recommend that your online shop saves all relevant order data of each purchase and each consumer before you start the QPAY Checkout Page or QMORE Checkout Seamless, and again immediately after the payment has been made by your consumer. This way you can assign and correlate each order with the relevant payment process results later on.

Disabling change of shopping basket

Make sure, within the capabilities of your online shop, that the consumer has no possibility to change the items in the shopping basket once the payment process has been started.

Regularly check for security updates for all software you use within your online shop, database and web server, and apply them.

Have a look at OWASP regarding typical security risks and their impacts on online sites.

Scheduled Backups

We recommend that you configure scheduled backups of all order and checkout-related information of your online shop's consumers, so that these data are at your disposal in case of later complaints or fraud.

Secret

A secret is a pre-shared key which is known only to you, the integrator of the online shop, and QENTA Payment CEE.

The secret you’ll get from our support teams is used to secure the transfer of all sensitive parameters and their values between your online shop and the QPAY Checkout Page and QMORE Checkout Seamless.

To ensure secure communication, it is essential that you NEVER disclose or share your pre-shared key with persons who are not involved in developing the online shop!

Never forward this pre-shared key via unsecured communication channels. If the pre-shared key is submitted by fax, make sure that the contents of the fax are disclosed only to the intended and authorized persons!

Never send the secret as a parameter to the QPAY Checkout Page or QMORE Checkout Seamless!

If you suspect that your pre-shared key has become known to unauthorized persons, contact our integration specialists immediately to request the creation and delivery of a new secret.

Fingerprint

A fingerprint is a method to ensure that sensitive parameters and their values sent from your online shop to the QENTA Checkout Server, and vice versa, are not changed by anyone while the data are transferred over the Internet.

A fingerprint is created by concatenating all parameter values into a single string and hashing this string with the HMAC-SHA-512 algorithm, using the secret as the cryptographic key.

When submitting data from your online shop to QENTA Checkout products, you also transmit the fingerprint and the names and order of all parameters used for creating it. The QENTA Checkout Server then computes the fingerprint of all received parameter values with the secret stored for you on the QENTA Checkout Server. If the fingerprint you sent and the fingerprint computed on the QENTA Checkout Server are identical, the parameter values you transmitted were not modified, for example by a man-in-the-middle attack.

For the response fingerprint calculation: if magic_quotes_gpc or magic_quotes_runtime is enabled on your server or in your shop, use stripslashes to remove the unnecessary slashes from the fingerprint seed before hashing, otherwise the recomputed fingerprint will not match.
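As an added example (not code from the QENTA documentation or its libraries), the following Python shows both sides of the fingerprint scheme described above: the sender signs the concatenated parameter values with HMAC-SHA-512 keyed by the secret, and the receiver recomputes the fingerprint from the transmitted parameter order and compares it in constant time, with the stripslashes path covering the magic_quotes case. The parameter names requestFingerprint and requestFingerprintOrder (and their response counterparts), the sample parameters and the demo secret are assumptions of this example.

```python
import hashlib
import hmac

# Constructed demo key; the real secret comes from QENTA support and lives outside the web root.
SECRET = "EXAMPLE-SECRET-NOT-A-REAL-KEY"

def fingerprint(values, secret):
    """Concatenate the parameter values (the seed) and HMAC-SHA-512 it with the secret as key."""
    seed = "".join(values).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), seed, hashlib.sha512).hexdigest()

def sign(params, order, secret, prefix):
    """Return a copy of params carrying <prefix>FingerprintOrder (which parameters were
    hashed, in which order) and <prefix>Fingerprint. The secret is only the HMAC key and
    is never placed in the message. Both parameter names are assumptions of this demo."""
    signed = dict(params)
    signed[prefix + "FingerprintOrder"] = ",".join(order)
    signed[prefix + "Fingerprint"] = fingerprint([params[name] for name in order], secret)
    return signed

def stripslashes(value):
    """PHP-style stripslashes: undo the backslash escaping that magic_quotes adds."""
    out, chars = [], iter(value)
    for ch in chars:
        if ch == "\\":
            ch = next(chars, "")  # keep the escaped character, drop the backslash
        out.append(ch)
    return "".join(out)

def verify(message, secret, prefix, magic_quotes=False):
    """Recompute the fingerprint from the order list in the message and compare it in
    constant time; a tampered value, a forged fingerprint or a missing parameter fails."""
    try:
        order = message[prefix + "FingerprintOrder"].split(",")
        values = [message[name] for name in order]
    except KeyError:
        return False
    if magic_quotes:
        values = [stripslashes(v) for v in values]
    expected = fingerprint(values, secret)
    received = message.get(prefix + "Fingerprint", "")
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))

if __name__ == "__main__":
    # Shop -> QENTA: sign a request with constructed parameter names, then detect tampering.
    request = {"amount": "10.00", "currency": "EUR", "orderDescription": "Order 4711"}
    signed = sign(request, ["amount", "currency", "orderDescription"], SECRET, "request")
    print(verify(signed, SECRET, "request"))                        # True
    print(verify(dict(signed, amount="1.00"), SECRET, "request"))   # False: amount altered
```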

Firewall Settings

When integrating QPAY Checkout Page or QMORE Checkout Seamless into your online shop, you may need to adjust the security settings of your firewall to enable outgoing communication to the following server:
api.qenta.com (212.183.46.18)

To receive confirmation information from QENTA regarding a transaction via the confirmUrl, you need to enable incoming communication from our IP address range 212.183.46.16/28.